How a single spam from China ended up as an attack on the White House


FoxNews leads today with a dramatic story entitled "Washington confirms Chinese hack attack on White House computer."

In other important news, experts confirmed that there was a "high probability" that tomorrow, 03 October 2012, due to the rotation of the earth on its axis, the sun would once again give the impression of rising in the East. They also claimed that dinosaurs would "in all likelihood" continue in their state of alleged extinction.

Do we really need major headlines of this sort? What information do their stories convey?

Fox dedicated over 660 words to the Chinese hacking story, but after careful reading it seems pretty clear that the incident, and the story, can be simplified quite significantly.

Here it is in 40 words, for a compression ratio of over 94%:

* A malicious spam from a computer in China reached a single unclassified computer in the White House Communications Agency.

* The computer may or may not have become infected as a result.

* Protection against malware and hackers is a good idea.

You may stand down from any coloured, or even lightly tinted, type of alert.

Please be careful of reading too much into tales like this. They may very well be true, but they may also merely distract you from other clear and present dangers in the computer security field.

To help you out, here are some of the tell-tale signs that a story of this sort has undergone what I will politely refer to as "reverse compression".

1. The article has as its primary source another article which, on careful reading, is merely the same uncertainty in different clothing.

(The Fox News story relies exclusively on a Free Beacon article that, itself "reverse compressed" to over 1700 words, offers no actionable evidence.)

2. The article, and its primary source, use emotive and dramatic language even when noting assumptions and speculations.

(Examples here include words like "alarming," "grave strategic damage", "revolutionary military capabilities" and "most brazen cyberattack".)

3. The article contains numerous words of caution that don't distract from the drama but quietly confirm the uncertainty of the conclusions.

(Examples here include "sources partly confirmed", "Free Beacon claimed" and "attempted hacking.")

4. The article introduces a second story or issue in a way that invites you to infer a cause-and-effect relationship without actually claiming one.

(Examples here include "China recently moved maritime patrol boats into waters near the [islands disputed with Japan]" and "reportedly including systems used by the military for nuclear commands".)

5. A convenient security expert pops up who's willing to go on record as saying that we're losing the battle and we need to change our game.

(Here, we have an outside expert in whose mouth the article can stash claims like "the cybersecurity industry is woefully behind the curve," "training simply does not work," and "we must rapidly adopt new technologies.")

The "training doesn't work" meme is commonly heard these days - we've covered it in a Naked Security piece that helps you decide whether it's true, or even likely - and has become a handy watch-cry for sales guys touting a new technology that they claim can obviate the need for training at all.

I'll leave it to you to decide whether that's what's happened here, and I'll leave it to you to decide just how credulous you ought to be when you see a single malware-laden spam from a Chinese PC extrapolated into a story about a "cyberbreach [that] was one of Beijing's most brazen cyberattacks against the United States."

Be careful out there. Whether you're an FDR admirer or not, he might have been speaking about cyberthreats and our twenty-first century response to them when he said, "the only thing we have to fear is fear itself."

Source: naked security 10/2/2012
